
Guide to secure age verification

Ensure secure age verification for your business with best practices in ID checks, data security, and privacy compliance.

Last updated:
9/4/2024
⚡ Key takeaways
  • Online businesses that verify users’ ages must also take care to ensure that any data they collect and store is adequately protected and secured.
  • Data security is required by a number of laws, including the GDPR, COPPA, CCPA/CPRA, and other regulations.
  • Businesses can keep their age verification processes secure by minimizing unnecessary data collection, ensuring data is appropriately encrypted, offering multiple verification methods to security-conscious users, and working with a verification provider capable of handling PII storage.

As online age verification has become the norm in more and more industries — from social media to adult entertainment to online gaming, marketplaces, and everything in between — many businesses have had to rethink their approach to the process.

Gone are the days when all a user needed was to complete a simple age gate or self attestation. Today, companies have many more robust options to choose from, including government ID checks, database verification, and even age estimation based on selfie verification.

The good news? All of these systems have been proven to be effective in verifying users’ ages at acceptable assurance levels. 

The bad news? Most also require a company to collect and store sensitive information about their users — names, contact information, birthdates, government IDs, and selfies. This opens up a new arena of risk: data privacy and security.

Simply put, if they’re going to verify users’ ages, businesses must also have measures in place to protect any customer data they collect. Failure to do so can lead to potential regulatory action, in addition to damaged customer trust and brand reputation.

Below, we offer a brief refresher on how age verification works and the technologies that underlie it. We also discuss why it’s so important for businesses to have a secure solution in place, and provide a number of best practices that you can use to keep your age verification strategy secure.


How does online age verification work?

Age verification is the process of verifying that a person is old enough to access age-restricted products, services, or content. The general requirement is that businesses need to verify users’ ages before users can gain access to restricted material.

Online age verification can take a couple of different shapes. Often, it will involve one or multiple of the methods below:

Government ID verification

With government ID verification, the user is prompted to use their device’s camera to take a photo of their government-issued ID. This can be a driver’s license, passport, residency card, or other ID. The ID is then analyzed for authenticity. Finally, the date of birth contained within the ID is extracted and cross-checked against information submitted by the user. 

Database verification

With database verification, the user provides some combination of identifying information about themselves. In addition to date of birth, this will often include their name, contact information (phone number, email), and address. The information is then compared against a third-party database for accuracy. 

Selfie verification

With selfie verification, the user is prompted to capture and upload one or multiple selfies. This selfie is then analyzed using AI — typically an ensemble model or series of micromodels — to determine how old the user is, within a reasonable margin of error. At the same time, the selfie may be analyzed for signs of tampering or being AI-generated, as well. 

A combination approach

Each of the methods above has its strengths and weaknesses. That’s why multiple methods are often used together to increase assurance.

Let’s say, for example, that you require a user to verify their age by uploading a photo of their government ID. How do you know that a child didn’t steal their parent’s ID in order to access your website, or use generative AI to create a realistic fake? 

Requiring the user to submit a selfie along with their ID allows you to compare the selfie against the portrait in the ID, which can help you weed out the first scenario. Meanwhile, pairing government ID verification with database verification empowers you to confirm that the information in the ID is accurate, addressing the second scenario above. 

Why does data security matter when it comes to age verification?

In order to verify a user’s age, businesses must collect and store personally identifiable information (PII) about that user. Unfortunately, this PII is also a valuable target for fraudsters, who can use it to steal a user’s identity, create a synthetic identity, or engage in other types of fraud. 

Failure to adequately protect this sensitive data from inappropriate access can have serious negative impacts for your business, ranging from regulatory action to diminished customer trust. 

Regulations

When it comes to age verification, regulations are a double-edged sword. On the one hand are industry-specific regulations that require age verification and establish children’s right to use online platforms. On the other is a global patchwork of data privacy laws that limit the collection of data from minors and that dictate how that data must be protected once a business collects it.

Some important data protection regulations you should keep in mind while designing your age verification strategy include:

Penalties for non-compliance vary significantly, but range from a few hundred to a few thousand dollars per instance. 

Customer trust

Do you operate in a jurisdiction free of data privacy regulations? That doesn’t mean you’re in the clear. Even when there is no regulatory incentive to protect customer data, there are still the issues of customer trust and brand reputation that must be considered. 

When a user discovers that their data privacy has been breached, it can cause serious and immediate damage to the customer trust that you’ve spent years building. This loss of trust can make your users rethink whether they want to continue doing business with you, and might even send them to your competitors. This is especially true when children’s data is involved.


Secure age verification in the digital era

If you have a goal of achieving secure age verification for your business — and really, you should! — that goal should inform your entire strategy, from the moment you select a solution through final deployment. Some best practices that can help include:

Only collect and store what you need

As a rule of thumb, businesses should aim to collect and store the bare minimum amount of customer information necessary to establish a user’s age at the required assurance level. (The same is true for businesses performing verification of any kind.) 

The reason for this is two-fold. First, keeping data collection to a minimum allows you to minimize the threats associated with a data breach. The less PII you collect and store, the less of a target you are to fraudsters — and the less damage those fraudsters can realize if they breach your systems. 

Second, minimizing how much data and evidence you collect during age verification helps you minimize user friction by keeping the verification process from becoming too burdensome for users. This helps reduce the risk of drop-offs or failed conversions.
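One way to apply this in code, as an added example that is not part of the original article or Persona's product: the full result of an ID check is reduced to a pass/fail record, so the birthdate, ID number and images are never written to storage. The payload shape, the field names and the 1 March rule for 29 February birthdays are assumptions.

```javascript
// Age in whole years on `today`, using UTC calendar dates.
// Assumption: a 29 Feb birthday counts from 1 Mar in non-leap years;
// check which rule applies in your jurisdiction.
function ageOn(dob, today) {
  const age = today.getUTCFullYear() - dob.getUTCFullYear();
  const beforeBirthday =
    today.getUTCMonth() < dob.getUTCMonth() ||
    (today.getUTCMonth() === dob.getUTCMonth() &&
      today.getUTCDate() < dob.getUTCDate());
  return beforeBirthday ? age - 1 : age;
}

// Reduce a full verification result to the only record that is persisted.
// The birthdate is used once to derive `passed` and is not copied over.
function toStoredRecord(result, minAge, now) {
  const dob = new Date(`${result.dateOfBirth}T00:00:00Z`);
  if (Number.isNaN(dob.getTime()) || dob > now) {
    throw new Error('invalid date of birth');
  }
  return Object.freeze({
    userId: result.userId,
    method: result.method,
    minAge,
    passed: ageOn(dob, now) >= minAge,
    verifiedAt: now.toISOString(),
  });
}

// Constructed sample of what a government ID check might return
// (hypothetical shape, not a real provider payload).
const SAMPLE_RESULT = {
  userId: 'u_1001',
  method: 'government_id',
  fullName: 'Sample Person',
  dateOfBirth: '2008-02-29',
  idNumber: 'X0000000',
  idImage: '<image bytes>',
  selfie: '<image bytes>',
};

console.log(toStoredRecord(SAMPLE_RESULT, 18, new Date()));
```

If a breach exposes this table, it reveals that a user passed an age threshold, not the evidence used to establish it.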

Learn more about how Persona’s workflows empower you to tailor your age verification approach to minimize unnecessary data collection. 

Follow data encryption best practices 

During both the collection and storage of user data, it’s critical to follow encryption best practices to ensure that it is as secure as possible. This includes ensuring that:

  • Web traffic is encrypted via HTTPS instead of the less secure HTTP protocol 
  • Any stored user data is encrypted using AES-256 encryption, with decryption keys stored on separate hosts and rotated on a regular basis
  • Robust identity access management protocols and other internal controls are in place to limit inappropriate access by your employees and contractors
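An added example (not Persona's code) of the second bullet, using Node.js's built-in crypto module: each record is encrypted with AES-256-GCM, the key ID is stored with the ciphertext so keys can be rotated, and an old key is retired once its records are re-encrypted. The in-memory `KeyService` class stands in for a key store on a separate host; it, the blob layout and the record IDs are assumptions.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Stand-in for a key service on a separate host (assumption): the database
// that stores the ciphertext never holds these keys.
class KeyService {
  constructor() { this.keys = new Map(); this.current = 0; }
  // Generate a fresh 256-bit key and use it for all new writes.
  rotate() {
    this.current += 1;
    this.keys.set(this.current, randomBytes(32));
    return this.current;
  }
  get(id) {
    const key = this.keys.get(id);
    if (!key) throw new Error(`key ${id} is unknown or retired`);
    return key;
  }
  retire(id) { this.keys.delete(id); }
}

// Stored form: keyId(4) | nonce(12) | tag(16) | ciphertext.
// The key ID and record ID are authenticated as associated data, so a blob
// copied onto another user's row fails to decrypt.
function seal(ks, recordId, plaintext) {
  const header = Buffer.alloc(4);
  header.writeUInt32BE(ks.current);
  const nonce = randomBytes(12); // fresh nonce for every encryption
  const c = createCipheriv('aes-256-gcm', ks.get(ks.current), nonce);
  c.setAAD(Buffer.concat([header, Buffer.from(recordId)]));
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([header, nonce, c.getAuthTag(), body]);
}

function open(ks, recordId, blob) {
  const key = ks.get(blob.readUInt32BE(0));
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(4, 16));
  d.setAAD(Buffer.concat([blob.subarray(0, 4), Buffer.from(recordId)]));
  d.setAuthTag(blob.subarray(16, 32));
  // final() throws if the tag, the ciphertext or the record ID does not match.
  return Buffer.concat([d.update(blob.subarray(32)), d.final()]);
}

// Re-encrypt a record under the current key so the old key can be retired.
function reencrypt(ks, recordId, blob) {
  if (blob.readUInt32BE(0) === ks.current) return blob;
  return seal(ks, recordId, open(ks, recordId, blob));
}
```

Rotation only limits exposure if old keys are actually retired, which requires re-encrypting every record that still references them.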

In selecting an age verification solution, you should choose a partner that is certified to whatever security and privacy standards matter most to your industry. 

Learn more about the steps that Persona takes to secure and protect your users’ data and privacy.

Offer multiple verification options

Some privacy-conscious users may not be comfortable providing certain information or evidence for age verification, such as a government ID. In these instances, you may be able to keep conversions high by offering other verification options users can choose.

Another option? Default to the verification method that introduces the lowest level of friction, which will also typically involve the least data collection. Then, based on the risk signals you detect, you can step up verification with additional friction for users where more assurance is required.

Learn more about how Persona’s dynamic risk segmentation helps you dynamically segment your users by risk to present the ideal age verification strategy, tailored to each user. 

Work with an age verification provider who will handle PII for you

One final solution to the problem of data security would be to offload the challenge completely — by selecting an age verification provider that will handle PII storage so you don’t have to. 

When you don’t store user PII directly within your systems, you don’t carry the liability that comes with data leaks or breaches. This empowers you to focus on what you do best — providing a pleasant experience to your users — without needing to worry about the specifics of data security. 

Learn more about how Persona’s Accounts can handle PII storage for you.

How Persona can help you achieve secure age verification 

Here at Persona, data privacy and security aren’t an afterthought — they’re an integral part of our age verification solution.

Our flexible platform allows you to build the exact verification flow that your business requires, giving you complete control over what information and evidence you collect. Rest easy knowing that we’ll handle PII storage for you, and that every piece of data passing through our systems is encrypted to the highest of industry standards. 

Ready to see how Persona can help you get secure age verification right? Contact us to learn more or get started for free.

Published on:
8/21/2024
